Opinion
18-P-1022
07-07-2020
NIKITA BERNSTEIN v. MyJoVE CORPORATION & another.
NOTICE: Summary decisions issued by the Appeals Court pursuant to M.A.C. Rule 23.0, as appearing in 97 Mass. App. Ct. 1017 (2020) (formerly known as rule 1:28, as amended by 73 Mass. App. Ct. 1001 [2009]), are primarily directed to the parties and, therefore, may not fully address the facts of the case or the panel's decisional rationale. Moreover, such decisions are not circulated to the entire court and, therefore, represent only the views of the panel that decided the case. A summary decision pursuant to rule 23.0 or rule 1:28 issued after February 25, 2008, may be cited for its persuasive value but, because of the limitations noted above, not as binding precedent. See Chace v. Curran, 71 Mass. App. Ct. 258, 260 n.4 (2008).
MEMORANDUM AND ORDER PURSUANT TO RULE 23.0
The defendant-in-counterclaim Nikita Bernstein appeals from a $60,313 judgment in favor of the plaintiff-in-counterclaim, MyJoVE Corporation (MyJoVE), entered after a bench trial in the Superior Court. Bernstein is the former chief technology officer (CTO) of MyJoVE, and is also a thirty percent shareholder. Bernstein voluntarily left his CTO position in 2011, but over one year later, in 2012, Bernstein used his knowledge of MyJoVE's computer systems to gain control of MyJoVE's website, and to cut off the e-mail access of MyJoVE's chief executive officer (CEO) for several days. The judgment at issue is based upon claims under three separate Federal statutes, each of which provide protections against unauthorized impairments or invasions of computer systems. Bernstein appeals, claiming that he was authorized to take the actions he did. We affirm.
Background. We summarize the facts as found by the trial judge, supplemented by uncontested facts from the record. See Connor v. Benedict, 481 Mass. 567, 568 (2019). Bernstein contests some of the judge's findings -- disagreements that we reserve for later discussion.
1. MyJoVE and Bernstein. MyJoVE is an Internet-based publisher of scientific journals, which means it transacts business over the Internet, using its website. MyJoVE was founded in 2006 by Bernstein and Moshe Pritsker, each of whom owns thirty percent of the company. Pritsker is the company's president and CEO. Bernstein, prior to 2012, was employed as MyJoVE's CTO.
"JoVE" stands for Journal of Visualized Experiments.
A third cofounder also owns thirty percent, and the remaining ten percent is owned by other investors and employees.
Bernstein's employment was pursuant to a series of written employment agreements, which automatically renewed on an annual basis. The last of these was dated July 14, 2010. Termination of the agreement by either party required six months written notice, unless the decision to terminate was mutual, as was the case here.
In June of 2011, Bernstein informed the company's managers and announced to everyone by e-mail that he would be "gradually stepping down as the CTO" "over the next two months." While Bernstein's June e-mail also stated that he intended to "remain involved" in various company matters in an "advisory capacity," Bernstein's relationship with Pritsker soured over the several weeks succeeding the announcement. On September 30, 2011, the company threw Bernstein a farewell party. That same day, Pritsker sent Bernstein a letter confirming that Bernstein would no longer serve as a MyJoVE employee. Although after September 30 Bernstein remained a thirty percent shareholder and consulted for several months on various issues, including information technology (IT) issues, the judge found that after that date Bernstein was "not at the company, nor an employee."
In October of 2011, MyJOVE hired a director of IT to replace Bernstein. Between October and December of 2011 (and continuing thereafter into 2012), Bernstein became increasingly critical of what he perceived as various missteps by MyJOVE's IT department, as well as, more generally, of Pritsker's management. Bernstein and Pritsker had several disagreements about the extent to which Bernstein would be permitted to interact with other employees, and to have access to the company's offices. Bernstein also became frustrated that Pritsker was not communicating with him as he wished.
MyJoVE operated a website, with the domain name "jove.com." Maintenance of this domain name was essential to the company's operations, as the website was the only way that customers purchased MyJoVE's products. After Bernstein left in September of 2011, Pritsker and two other members of senior management were designated as the super administrators (super admin.) of MyJoVE's "jove.com" domain name. While owned and managed by the company, "jove.com" was technically still registered in Bernstein's name, because he had originally facilitated its purchase. On multiple occasions, MyJoVE requested that Bernstein transfer the registration of "jove.com" to the company, but he did not do so.
MyJoVE bought the "jove.com" domain name in 2007 from an individual who had no affiliation with the company. The purchase was handled by Bernstein, who initially used his personal credit card and was reimbursed by the company a few weeks later.
By the end of 2011, Bernstein's involvement with MyJoVE was as a shareholder; he was no longer an employee or a director; he was no longer involved in the management of the company; he was no longer permitted to physically access the company's offices; and he no longer had a company credit card. In addition, with respect to MyJoVE's computer system and e-mails, by the end of 2011 MyJoVE had changed passwords and removed Bernstein's administrator account privileges. Bernstein no longer had access to MyJoVE's computer system or e-mails.
MyJoVE's board voted to remove Bernstein as a director on November 15, 2011.
2. November of 2012. Approximately one year later, on November 9, 2012, without consulting MyJoVE, Bernstein took several actions with respect to MyJoVE's computer systems. First, he transferred the "jove.com" domain name to a personal account he had created. He was able to do this because "jove.com" was still registered in his name. Upon transfer to his own account, Bernstein was able to gain access to MyJoVE's e-mails, and to change the password on Pritsker's account. Bernstein also regained his administrator account privileges by substituting his name as MyJoVE's super admin., in place of the MyJoVE designees, thereby preventing MyJoVE from blocking his access. As a result, over the next six days, Bernstein disrupted MyJoVE's ability to control its own system, including blocking Pritsker from accessing his own e-mails. The judge found that Bernstein did not have the authority or permission to change administrator privileges or to modify passwords on any MyJoVE e-mail account in November of 2012 (or indeed, at any time during 2012).
Bernstein stated that the reason he locked Pritsker out of his e-mail account was to "force" Pritsker to meet with him.
Shareholders who were not employees were not given access or account privileges to the company's e-mails or computer system.
In an effort to determine what had happened to its system, MyJoVE engaged a computer security firm to conduct a forensic investigation and to assist with remediation of the company's computer system; it also engaged legal counsel to pursue remedies, including a preliminary injunction.
3. This lawsuit. In August of 2012, shortly before the events detailed above, Bernstein initiated this action by filing a complaint seeking to inspect MyJoVE's books and records. Bernstein's claim was eventually dismissed on the defendant's motion to dismiss.
Bernstein had filed a petition for a writ of mandamus against Pritsker, as president and CEO of MyJoVE, seeking inspection of MyJoVE's records pursuant to G. L. c. 156D, § 16.04. He does not appeal this dismissal here, and Pritsker, in his individual capacity, is not a party to this appeal.
After the events of November 2012, MyJoVE amended its counterclaims, and on November 13, 2012, MyJoVE obtained a preliminary injunction to compel Bernstein to relinquish the "jove.com" domain name, and to return control of the company's computer system to the company. Bernstein complied with the order on November 15, 2012. However, before doing so, Bernstein downloaded certain files from MyJoVE's electronic file storage to his own computer. For this, Bernstein was held in contempt.
MyJoVE's counterclaims also sought damages, based upon alleged violations of various Federal statutes directed at preventing computer hacking -- the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (count I), Title II of the Electronic Communications Privacy Act (ECPA), also known as the Stored Communications Act, 18 U.S.C. §§ 2701, 2707 (count II), and Title I of ECPA, also known as the Wiretap Act, 18 U.S.C. §§ 2511, 2520 (count III).
A Superior Court judge held a jury-waived trial on MyJoVE's counterclaims in July of 2016. In March of 2018 the judge awarded MyJoVE actual damages of $36,742, plus $5,000 in punitive damages. He also awarded MyJoVE $65,000 in attorney's fees, plus pre and postjudgment interest and costs. Bernstein appeals.
Bernstein does not challenge the award of punitive damages or the award for attorney's fees and costs. Nor does Bernstein challenge the contempt order against him, or its accompanying award of $7,592.36 in legal fees and costs.
Discussion. We review the trial judge's rulings of law de novo, and his factual findings for clear error. See Trace Constr., Inc. v. Dana Barros Sports Complex, LLC, 459 Mass. 346, 351 (2011); Mass. R. Civ. P. 52 (a), as amended, 423 Mass. 1402 (1996). The trial judge, "who has a 'firsthand view of the presentation of evidence,'" is in the best position to assess the credibility of the witnesses and the weight of the evidence, especially in a case involving conflicting testimony. Demoulas v. Demoulas Super Mkts., Inc., 424 Mass. 501, 509-510 (1997), quoting New England Canteen Serv., Inc. v. Ashley, 372 Mass. 671, 675 (1977).
1. Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 (2018). The trial judge found that Bernstein violated two sections of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(2)(C) and § 1030(a)(5)(B), by accessing e-mails and downloading files from MyJoVE's protected computer system. Both CFAA provisions required MyJoVE to prove that Bernstein accessed the company's computers (1) intentionally and (2) "without authorization." Subsection (a)(2)(C) required, in addition, proof that Bernstein "obtain[ed] . . . information" from the computers; subsection (a)(5)(B) required proof that he "recklessly cause[d] damage."
This section states: "Whoever . . . intentionally accesses a computer without authorization . . . and thereby obtains -- information from any protected computer . . . shall be punished as provided . . . ."
This section states: "Whoever . . . intentionally accesses a protected computer without authorization, and . . . recklessly causes damage . . . shall be punished as provided . . . ."
The statute defines "protected computer" as any computer "which is used in or affecting interstate or foreign commerce or communication." 18 U.S.C. § 1030(e)(2)(B).
Here the judge found that Bernstein violated both § 1030(a)(2)(C) and § 1030(a)(5)(B). Bernstein intentionally accessed MyJoVE's protected computers without authorization when he (1) transferred the jove.com domain name to his own personal account; (2) accessed MyJoVE's account to change administrator privileges -- that is, granted himself super admin. privileges, while downgrading the super admin. privileges held by other MyJoVE employees; (3) accessed Pritsker's e-mail account and intercepted Pritsker's e-mails, and changed the password to that account thereby locking Pritsker out; and (4) downloaded files from MyJoVE's document storage service.
The gist of Bernstein's argument on appeal is that he was authorized to take the actions at issue, or at least, that he acted in good faith out of a desire to help the corporation. Bernstein relies, in particular, on the close corporation cases such as Donahue v. Rodd Electrotype Co., 367 Mass. 578 (1975), which he claims establish that he had an unfettered right, as a thirty percent shareholder, to participate in the management of MyJoVE. Bernstein accordingly posits that he had a right to access the computer system in order to cause Pritsker to meet with him. These arguments fail, for at least three reasons.
First, Bernstein did not bring a claim for breach of fiduciary duty against MyJOVE or Pritsker, as its principal, and we are aware of no authority that would allow Bernstein, as a minority shareholder of a close corporation, to surreptitiously access the company's computers in retaliation for the alleged breach of such a duty. Put differently, whether Bernstein was treated with the "utmost good faith and loyalty," in connection with his resignation or termination in 2011 is simply not before us. Rather, the issue before us is whether Bernstein was authorized, in November of 2012, to access MyJoVE's computer system and to interfere with the company's operations.
Second, the trial judge made several factual findings that establish that Bernstein was not "authorized" to take the actions at issue. The judge found that Bernstein left the company's employ in September of 2011, that the company termed that a "resignation," and that Bernstein did not contest that designation at that time. Thereafter Bernstein may have been involved in some oversight functions, but he was no longer "at the company." Bernstein's successor as CTO changed the company passwords, and did not share them with Bernstein. The judge found that "within a few months of leaving, [Bernstein] was no longer allowed access to company emails." To the extent Bernstein contests these findings, they are not clearly erroneous. Accordingly, even if we were to accept Bernstein's contention that his employment with MyJoVE continued past September 30, 2011, the judge was still more than justified in concluding that when Bernstein accessed the company's computer system over one year later, he knew he was not employed by MyJoVE, and knew he did not have the requisite authorization.
Third, Bernstein's status as a shareholder of a close corporation does not change this analysis. Bernstein was by contract a MyJoVE employee, and he reported to Pritsker, the CEO. Bernstein did not at any time have an unfettered right to participate in management, and he surely did not once he resigned as CTO. More importantly, Bernstein's status as a shareholder of a close corporation did not give him a right to engage in unauthorized acts. "Allowing a party who has [allegedly] suffered harm within a close corporation to seek retribution by disregarding its own duties has no basis in our laws and would undermine fundamental and long-standing fiduciary principles that are essential to corporate governance. . . . 'Rather, if unable to resolve matters amicably, aggrieved parties should take their claims to court and seek judicial resolution.'" Selmark Assocs., Inc. v. Ehrlich, 467 Mass. 525, 552-553 (2014), quoting Rexford Rand Corp. v. Ancel, 58 F.3d 1215, 1221 (7th Cir. 1995). See Donahue, 367 Mass. at 593 n.17 (recognizing that, "[i]n the close corporation, the minority may do equal damage through unscrupulous and improper 'sharp dealings'"). To the extent Bernstein felt aggrieved by any mistreatment he may have received by MyJoVE or Pritsker (including Pritsker's refusal to meet with him), his recourse was not through unauthorized access to the company's computer system.
See Pointer v. Castellani, 455 Mass. 537, 550 (2009), quoting Wilkes v. Springside Nursing Home, Inc., 370 Mass. 842, 850-851 (1976) ("majority shareholders 'have certain rights to what has been termed "selfish ownership" in the corporation which should be balanced against the concept of their fiduciary obligation to the minority,' permitting them 'room to maneuver' and 'a large measure of discretion'").
3. Compensatory damages under the CFAA, 18 U.S.C. § 1030(e)(8) and (e)(11). After finding a CFAA violation, the judge awarded MyJoVE damages of $36,752, pursuant to 18 U.S.C. § 1030(g). Those damages had two components: (1) MyJoVE's cost to retain a firm to evaluate what happened to interrupt its e-mail service ($10,820), and (2) the cost of hiring a law firm to pursue remedies, including a preliminary injunction, against Bernstein ($25,922). Bernstein argues that these damages were not available under the CFAA. We perceive no error.
MyJoVE contends that Bernstein waived this argument by failing to raise it in the Superior Court, but we are unable to discern this from the record before us. We will, in any event, exercise our discretion to consider the argument. See Porio v. Department of Revenue, 80 Mass. App. Ct. 57, 63-64 (2011).
The CFAA expressly provides for a private civil cause of action: "Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages . . . ." 18 U.S.C. § 1030(g). Although this language could perhaps be clearer (the word "damage" is used twice in the sentence, in different ways), the most natural reading is that it allows a plaintiff to recover compensation for "damage" or "loss," both of which are defined terms. Most relevant here is the definition of "loss": "[A]ny reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring . . . the system . . . to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service" (emphasis added). 18 U.S.C. § 1030(e)(11). The damages awarded here easily fit the statutory definition of "loss," as they were costs MyJoVE reasonably incurred in responding to Bernstein's actions -- that is, hiring a computer forensics firm to assess the potential damage done to the company's data system, and hiring an attorney to remedy the breach.
Relying on Jarosch v. American Family Mut. Ins. Co., 837 F. Supp. 2d 980 (E.D. Wis. 2011), Bernstein argues that "loss" under subsection (e)(11) should be narrowly construed, and that compensatory damages are only available if they are "related to the impairment or damage to a computer or computer system." Id. at 1022. That contention, however, is at odds with both the statutory language and the reasoning of several of the Federal Circuit Courts of Appeal. For example, in A.V. v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009), the United States Court of Appeals for the Fourth Circuit addressed a claim that the plaintiff had incurred out of pocket costs investigating an unauthorized use of its computer system, where there was no actual impairment of how its system operated. The court held that the act's definition of "loss" "plainly contemplates . . . costs incurred as part of the response to a CFAA violation, including the investigation of an offense." See Brown Jordan Int'l, Inc. v. Carmicle, 846 F.3d 1167, 1173-1174 (11th Cir. 2017); Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073-1074 (6th Cir. 2014). The cases thus do not limit CFAA damages or loss only to actual impairment of a computer system, nor would such a reading be consistent with the statute's language.
4. Stored Communications Act, 18 U.S.C. §§ 2701, 2707 . The trial judge also concluded that Bernstein's actions violated Title II of the Electronic Communications Privacy Act (ECPA), also known as the Stored Communications Act, 18 U.S.C. §§ 2701, 2707 (SCA), count II of MyJoVE's counterclaim. On the same facts, the judge found that Bernstein had intentionally and without authorization intercepted at least ninety-seven e-mails. Considering these interceptions as a single act, the judge determined that, under the SCA, MyJoVE was entitled to the greater of actual damages of $36,742, or statutory damages of no less than $1,000 for such violation. See 18 U.S.C. § 2707(c). To avoid duplicative damages, no compensatory damages were awarded. The judge did, however, award punitive damages, permitted under the SCA, of $5,000. 18 U.S.C. § 2707(c) ("If the violation is willful or intentional, the court may assess punitive damages"). Bernstein makes no argument specific to the punitive damages award. We affirm the award under the SCA for the same reasons stated above.
Section 2701(a) of the SCA provides a cause of action against one who "intentionally accesses without authorization a facility through which an electronic communication service is provided . . . and thereby obtains, alters, or prevents authorized access to . . . [an] electronic communication while it is in electronic storage in such system."
While the judge also found for MyJoVE on its claim pursuant to Title I of ECPA, 18 U.S.C. §§ 2511 and 2520 (Wiretap Act), given that no additional damages were awarded, we need not address the claim here. See Commonwealth v. Brown, 479 Mass. 163, 168 n.3 (2018), quoting Commonwealth v. Domanski, 332 Mass. 66, 78 (1954) (to extent that arguments were not expressly addressed, they "have not been overlooked. We find nothing in them that requires discussion").
5. Appellate attorney's fees and costs. MyJoVE seeks appellate attorney's fees and costs pursuant to 18 U.S.C. § 1030(g) of the CFAA, 18 U.S.C. § 2707(b)-(c) of the SCA, and Fabre v. Walton, 441 Mass. 9 (2004). While such an award is permissible under the Federal statutes, we decline to make such an award here.
Judgment affirmed.
By the Court (Hanlon, Wendlandt & Englander, JJ.),
The panelists are listed in order of seniority.
/s/
Clerk Entered: July 7, 2020.